The Department of Health and Human Services (HHS) released guidance on July 11, 2016, intended to help the healthcare industry prepare for and respond to ransomware attacks. Specifically, this guidance clarifies: (1) that a ransomware attack is considered a “security incident” under HIPAA, and (2) that a ransomware attack will typically be considered a “breach” by HHS unless entities are able to demonstrate that there is a “low probability of compromise.” The guidance also clarifies that covered entities must implement the same risk assessment processes as they would with other types of cyber threats, including malware. At a time when ransomware attacks are on the rise, this guidance heightens the potential regulatory enforcement consequences of these events.
In less than one week, on August 1, U.S. companies may begin to submit self-certifications to the EU-U.S. Privacy Shield framework at www.privacyshield.gov. Those companies that previously certified to the predecessor Safe Harbor framework are in a particularly good position to certify to the Privacy Shield, which built upon Safe Harbor’s core principles by adding meaningful substantive and procedural privacy protections for EU individuals.
The U.S. Department of Education and Department of Justice (“Departments”) recently weighed in on the obligations of school districts, colleges, and universities to provide civil rights protections for transgender students. On May 13, 2016, the Departments issued a Dear Colleague Letter (“DCL”) that summarizes the responsibilities of school districts, colleges, and universities that receive federal financial assistance under the Departments’ interpretation of federal law, including Title IX of the Education Amendments of 1972 (“Title IX”) and the Family Education Rights and Privacy Act (“FERPA”). Here, we focus on the DCL’s guidance pertinent to compliance with FERPA.
The much anticipated Privacy Shield framework for the transfer of data between the EU and U.S. received final approval from the European Commission on 12 July 2016. With this important data transfer mechanism available to companies at the beginning of August, the Hogan Lovells Privacy and Cybersecurity team will answer your questions in a webinar Wednesday, 27 July.
CLE credit will be available.
With the recent approval of the EU-US Privacy Shield framework and the ability to start filing online registrations on 1 August, many companies have questions about the advantages and disadvantages of Privacy Shield as compared to other cross-border transfer mechanisms to cover trans-Atlantic data flows.
To answer your questions, we publish here International Data Transfers – Considering your options, a high-level analysis of the EU cross-border transfer options for companies—including the EU Standard Contractual Clauses, Intra-Group Agreements and other ad-hoc contracts, Binding Corporate Rules, Privacy Shield, and Consent—and the pros and cons of choosing each one.
On 6th July, the UK Government published two independent reviews concerning data security and data sharing in the health and care system in England. At the same time the UK Government launched a public consultation on proposals resulting from these reviews. The public consultation will be of interest to organisations that regularly interact with the public health sector in the UK and in particular to those organisations that rely on access to health data from the NHS for research purposes.
With attention to connected car cybersecurity issues increasing globally, the European Union Agency for Network and Information Security (ENISA) is leading the EU’s first bloc-wide initiative to identify cybersecurity rules of the road for connected cars. On July 13, ENISA announced a study aimed at creating a comprehensive list of cybersecurity policies, tools, standards, and measures to enhance security in next-generation automobiles. ENISA will include interviews with relevant stakeholders like car manufacturers and Tier 1 and 2 suppliers and solicit feedback on its findings at an open workshop October 10 in Munich, Germany. The study will also be reviewed by members of ENISA’s CaRSEC Expert Group, a collection of government, private, and public-sector experts knowledgeable about cybersecurity as it relates to car manufacturing, vehicular hardware and software, road standards, and car security. At the end of the study, ENISA will provide recommendations on how to enhance smart car security for EU consumers.
A three-judge panel of the U.S. Court of Appeals for the Second Circuit today unanimously reversed a lower court’s denial of Microsoft’s motion to quash a warrant seeking the content of emails for a customer of its Outlook.com email service. The decision is surprising in that U.S. courts, including the Second Circuit, have traditionally enforced government process seeking documents or data stored abroad from entities that have control over the information under the test of “control, not location.” See In the Matter of a Grand Jury Subpoena Directed to Marc Rich & Co. v. United States, 707 F.2d 663 (1983) and our earlier blog post on the district court decision.
The Second Circuit focused its analysis on the government’s use of a warrant issued pursuant to section 2703 of the Stored Communications Act (SCA) to obtain the content of emails. Under the SCA, where the U.S. Government seeks the content of emails from an email service provider, the Government must, in certain specified circumstances, use a warrant following the procedures in Rule 41 of the Federal Rules of Criminal Procedure. The court concluded that Rule 41, with the exception of certain diplomatic operations, only allows for magistrate judges to issue warrants for information stored in the United States. Moreover, the court found “Congress did not intend the SCA’s warrant provisions to apply extraterritorially,” citing the presumption against extraterritorial application of United States statutes absent a clear contrary intent.
Although the court acknowledges that “domestic contacts” can eliminate concerns of extraterritoriality in a given case, the court found that in this case, the SCA’s focus on the “privacy of the content of a user’s stored electronic communications” tipped the balance in favor of the presumption against extraterritorial application of the SCA. The court addressed earlier cases where subpoenas were issued to businesses that owned the information sought, finding that compelling the production of information stored abroad from the owner of the information is distinguishable from compelling the production of information stored abroad from a caretaker of that information. The court also noted the importance of international comity that “ordinarily govern the conduct of cross-boundary criminal investigations.”
This case could have a significant impact on cloud providers’ decisions to store information abroad. It also serves, in the midst of debates about the newly enacted Privacy Shield and the recent challenge to Standard Contractual Clauses now before the Court of Justice of the European Union, as a counterbalance to arguments that some make about the U.S. legal system not respecting personal privacy.
On 12 July 2016, the European Commission issued its much awaited “adequacy decision” concerning the Privacy Shield framework for the transfer of personal data from the EU to the U.S. This adequacy decision is based on the latest version of the Privacy Shield, which was further negotiated and revised following the Article 29 Working Party’s April 2016 concerns with the terms of the original Privacy Shield framework.
Many of our clients have questions about Privacy Shield—what it is, when it will be available for use, and how it differs from other data transfer mechanisms, among others. We have prepared a blog post to answer these questions about the updated version of Privacy Shield and its implications for companies engaging in trans-Atlantic data flows.
Julie Brill, Hogan Lovells partner and co-head of our global Privacy and Cybersecurity practice, recently commented on the EU-US Privacy Shield for the EurActiv publication. Her comments are republished here, with permission:
The free flow of data is essential to an ever-growing segment of the global economy. Yet some policymakers and advocates, citing privacy concerns, have called for shutting off the faucet and restricting data flow, to the detriment of European consumers and European businesses, both small and large.
With cooler heads and a laser-like focus on the best interests of all European citizens, the European Commission and the US Department of Commerce have been tirelessly working to build a better framework for maintaining a seamless flow of data across the Atlantic in a manner that respects the privacy of European citizens.
After much debate, a major European court opinion, and at least one act of Congress to address the issue, a solution is at hand that will enhance real, enforceable privacy protections on both sides of the Atlantic.